speckit-plan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill explicitly instructs the agent to execute shell scripts from the repository.
  - Evidence: Step 1 of the Workflow requires running `.specify/scripts/bash/setup-plan.sh`. Phase 1 requires running `.specify/scripts/bash/update-agent-context.sh`.
  - Risk: If an attacker can modify the files within the `.specify/` directory, they can achieve arbitrary code execution on the user's machine when this skill is invoked.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection through its primary data sources.
  - Evidence: The skill ingests `specs/<feature>/spec.md` and "User-provided constraints" to drive the planning workflow.
  - Capability Inventory: The agent has the ability to write multiple files to the filesystem (`research.md`, `data-model.md`, etc.) and execute bash scripts.
  - Boundary Markers: There are no explicit boundary markers or instructions to ignore nested commands within the specification files.
  - Sanitization: No evidence of sanitization for the data extracted from the spec files before it is used to generate research tasks or passed to update scripts.
- [DATA_EXFILTRATION] (LOW): While no direct network calls are visible, the "Research agents" mentioned in Phase 0 could potentially be tasked with external lookups.
  - Risk: If the research process is not strictly sandboxed, it could be leveraged to leak details of the local environment or codebase.
Recommendations
- AI detected serious security threats
Audit Metadata